Say Hello to Chip and Pin

No, it’s not a Penn & Teller rip-off act – it’s a new credit card format. On August 9th Visa announced that they are going to aggressively encourage merchants to switch over to Chip and Pin (CAP) ‘smart’ credit cards. Europay-Mastercard-Visa (EMV) developed a smart credit card format standard many years ago, and the technology was adopted by many other countries over the next decade. In the US adoption has never really happened. That’s about to change, because Visa will give merchants a pass on PCI compliance if they adopt smart cards, or let them assume 100% of fraud liability if they don’t.

Why the new push? Because it helps Visa’s and Mastercard’s bottom lines. There are a couple of specific reasons Visa wants this changeover, and security is not at the top of their list. The principal benefit is that CAP cards allow applications to be installed and run on the card. This opens up new revenue opportunities for card issuers, as they bolster affinity programs and provide additional card functionality. Card co-branding, recurring payments, coupons, discounted pricing from merchants, card-to-card gifting, and pre-paid transit tokens are all examples. Second, they feel that CAP opens up new markets and will engender broader use of the cards. The smart card industry in general is worried about loss of market share to smart phones that can provide the same features as CAP-based smart cards. In fact we see payment applications of all types popping up, many of which are (now) sponsored by credit card companies to avoid market share erosion. Finally, the card companies want to issue a single card type, standardizing cards and systems across all markets.

Don’t get me wrong – security absolutely is a benefit of CAP. ‘Smart’ credit cards are much harder to forge, offering much better security for ‘card present’ transactions, as the point-of-sale terminal can electronically validate the card. And the card can encrypt data locally, making it much easier to support (true) end-to-end encryption so sensitive data is not exposed while processing payments. Most smart cards do not help secure Internet purchases or card-not-present transactions over the phone. What scares me about this announcement is that Visa is willing to waive PCI DSS compliance for merchants that switch 75% or more of their transactions to CAP-based smart cards! Visa is offering this as an incentive for large merchants to make the change. The idea is that the savings on security, audit preparation, and remediation will offset the costs of the new hardware and software. Visa has not specified whether this will be limited to the POS part of the audit, or if they mean all parts of the security specification, but the press release suggests the former.
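To make the “terminal can electronically validate the card” point concrete, here is an added illustration that is not part of the original post and not Visa’s or EMV’s code. It models the difference between a magnetic stripe, whose static track data a host cannot tell apart from a copy, and a chip, which answers each terminal challenge with a fresh cryptogram computed from a key that never leaves the card. HMAC-SHA256, the message layout, the counter handling and all sample values are assumptions chosen for the demo; the real EMV cryptogram scheme differs in its algorithms and fields.

```python
import hashlib
import hmac
import os


def _auth_message(pan, atc, amount_cents, nonce):
    # Assumed message layout for the demo (not the EMV data element list).
    return f"{pan}|{atc}|{amount_cents}|{nonce.hex()}".encode()


class MagstripeCard:
    """Static track data: whatever the terminal reads can be copied verbatim."""
    def __init__(self, pan, track_data):
        self.pan = pan
        self.track_data = track_data

    def swipe(self):
        return {"pan": self.pan, "track": self.track_data}


class ChipCard:
    """Holds a secret key on the card and answers each challenge with a new MAC."""
    def __init__(self, pan, card_key):
        self.pan = pan
        self._key = card_key          # never leaves the card in this model
        self.atc = 0                  # application transaction counter

    def respond(self, terminal_nonce, amount_cents):
        self.atc += 1
        msg = _auth_message(self.pan, self.atc, amount_cents, terminal_nonce)
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "atc": self.atc, "cryptogram": mac}


class ReplayedChipResponse:
    """A recording of one genuine chip response presented again; without the
    key it cannot adapt to a new challenge, so the host should reject it."""
    def __init__(self, recorded):
        self.recorded = recorded

    def respond(self, terminal_nonce, amount_cents):
        return dict(self.recorded)


class Issuer:
    """Issuer host: knows each card's key and the last counter value seen."""
    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll_chip(self, pan):
        key = os.urandom(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize_magstripe(self, swipe, valid_tracks):
        # Static data: the host can only check the track matches the account,
        # and a verbatim copy satisfies exactly the same check.
        return swipe["track"] == valid_tracks.get(swipe["pan"])

    def authorize_chip(self, terminal_nonce, amount_cents, resp):
        key = self._keys.get(resp["pan"])
        if key is None:
            return False
        if resp["atc"] <= self._last_atc[resp["pan"]]:
            return False  # counter did not advance: stale or replayed response
        msg = _auth_message(resp["pan"], resp["atc"], amount_cents, terminal_nonce)
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, resp["cryptogram"]):
            return False  # cryptogram is not bound to this terminal's challenge
        self._last_atc[resp["pan"]] = resp["atc"]
        return True


def chip_transaction(card_like, issuer, amount_cents):
    """Terminal side of a card-present chip transaction."""
    nonce = os.urandom(4)  # the terminal's unpredictable number
    resp = card_like.respond(nonce, amount_cents)
    return issuer.authorize_chip(nonce, amount_cents, resp)


def demo():
    issuer = Issuer()
    pan = "4111111111111111"                       # constructed test PAN
    tracks = {pan: "4111111111111111=2512101"}     # constructed track data
    stripe = MagstripeCard(pan, tracks[pan])
    copied_stripe = MagstripeCard(pan, stripe.swipe()["track"])

    chip = issuer.enroll_chip(pan)
    nonce = os.urandom(4)
    recorded = chip.respond(nonce, 1999)
    issuer.authorize_chip(nonce, 1999, recorded)   # one genuine use of atc 1
    replay = ReplayedChipResponse(recorded)

    return {
        "magstripe_copy_accepted": issuer.authorize_magstripe(copied_stripe.swipe(), tracks),
        "chip_replay_accepted": chip_transaction(replay, issuer, 1999),
        "chip_genuine_accepted": chip_transaction(chip, issuer, 1999),
    }


if __name__ == "__main__":
    print(demo())
```

The host rejects the replayed response on two independent grounds: the counter has not advanced, and even if it had, the MAC was computed over a different terminal nonce. That is the property the post is pointing at; it protects card-present transactions only, which is why the same model offers nothing for card-not-present purchases where no terminal challenges the card.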

Merchants have resisted this change because the terminals are expensive! To support CAP you need to swap out terminals at a hefty per-terminal cost, upgrade supporting point-of-sale software, and alter some payment processing systems. Even small businesses – gas stations, fast food, grocery stores, etc. – will require sizable investment to support CAP. Pricing obviously varies, but tends to run about $1,000 to $1,600 per terminal. Small merchants who are not subject to external auditing will not benefit from the audit waiver that can save larger merchants so much, so they are expected to continue dragging their feet on adoption.

One last nugget for thought: If EMV can enforce end-to-end encryption, from terminal to payment processor, will they eventually disallow merchants from seeing any card or payment data? Will Visa fundamentally disrupt the existing card application space?

Comments:


By Ed Bellis on 08/11 at 04:26 AM

Since this doesn’t help security for card not present transactions I don’t see them being able to prevent merchants from touching payment data for those transactions (which is a significant portion of the market and growing). While it’s a step in the right direction, it doesn’t fully address the fundamental problem of payment card security. It’s also a very costly transition. I would imagine for a lot of merchants, PCI compliance is cheaper than switching to chip and pin. I believe the only way they were able to pull this off in Europe was through regulation.

By Walt Conway on 08/11 at 04:28 AM

Adrian,

Your post makes some very good and important points, particularly about security.

Two important corrections, though. First, Visa is definitely *not* going to “waive PCI compliance.” What they are waiving is the merchant’s (and only the largest ones, as you point out) need to *re-validate* compliance. That is, once a merchant validates PCI compliance, they don’t need to re-validate the next year under TIP. Visa’s release notes that they still require the merchant to be PCI compliant.

The second thing is that the merchants don’t need to switch “75% or more of their transactions” to smart cards. Actually, the bar is lower. To participate, merchants need only switch 75% of their *authorizations* to the “dual-interface” terminals. Whether they have 1% or 75% actually on chip cards, they get the TIP incentives (such as they are).

The other interesting thing about Visa’s announcement is that it doesn’t cost the brand or their issuers anything to make this change to merchant systems. Where in the past they offered incentive interchange fees (i.e., lower costs) to cover the cost of new technology, TIP gets the merchants to pay for it themselves. Some incentive… (Full disclosure, I’m a QSA so I might be biased.)

Lastly, don’t forget the liability transfer part of the announcement. That’s the stick that will be used if the TIP carrot doesn’t work.

It will be interesting to see what the other brands do or don’t do. Visa may be the biggest, but they are not the only card brand. If the others still require PCI validation each year there is not much benefit to TIP. Also I hope there is some incentive for small and medium-sized merchants to get some break. They are the source of many breaches, and it would be good if there was some way they could cover the cost of upgrading their POS and back office technology.

By Bob on 08/11 at 07:08 AM

“Merchants have resisted this change because the terminals are expensive!”

I did a cursory search on google and found units for $50.
What do you consider expensive?

By Colin Cassidy on 08/11 at 12:01 PM

One of the other pushes for Chip and Pin is that it removes the effects of fraud from the credit card companies. In Europe Visa/Mastercard have effectively argued that Chip & Pin is secure and therefore any fraud that has occurred is the fault of the card holder, because they must not have secured their pin properly.

Also I point interested parties to http://www.lightbluetouchpaper.org and in particular http://www.lightbluetouchpaper.org/2010/02/26/reliability-of-chip-pin-evidence-in-banking-disputes/

CJC

By Mark Wilkinson on 08/11 at 12:42 PM

I’m obviously not drawing the same conclusions as you from the announcements that Visa has made. I don’t believe that they are intending to “waive PCI DSS compliance” for qualifying merchants: what they’re waiving is the need to validate compliance each year. There’s even a section in the bulletin headed “Merchants Must Maintain PCI DSS Compliance” that makes the position pretty clear.

Given that 96% of level 1 and 2 merchants in the US are now validated as PCI DSS compliant, Visa seem comfortable with lifting the annual re-validation in the hope that they can redirect some of the money saved into rolling out new POS terminals. What I found interesting is that they’re also co-opting this money into paying to roll out Visa’s contactless payment infrastructure as well, to create a beachhead in the battle for the mobile payment sector.

By Adrian Lane on 08/11 at 01:40 PM

Walt - thanks for the clarification. Do you have a reference that explains this in more detail?

You’ll notice that I stayed away from many of the security aspects of CAP as I wanted to make it clear this is about more money and less liability for EMV - not about user or issuer security. That said, the response to the Cambridge attack shows how the liability is being thrown back in the face of the card users.

Thanks to @Beaker for the Blackhat presentation reference: http://t.co/jyLXOSA - and thank you Colin for the link.

The original Cambridge reference is here: http://www.cl.cam.ac.uk/research/security/banking/nopin/

-Adrian

By Walt Conway on 08/11 at 02:22 PM

Adrian,
Here are some links, all from Visa. It may be more than you want to know!

This one talks about plans, and links to three other bulletins:
http://usa.visa.com/download/merchants/bulletin-us-adopt-dynamic-authentication-080911.pdf?Aug082011

This is the one about dual-interface terminals, and the EMV/NFC technologies. It also has details on TIP and what “waive PCI compliance validation” means. That is, four steps, stay compliant, update your incident response plan, etc:
http://usa.visa.com/download/merchants/bulletin-tip-us-merchants-080911.pdf?Aug082011

The liability shift is the stick that goes with Visa’s carrot (such as it is). To me this says two things: merchants and acquirers update your POS or you eat any and all POS fraud losses; and the US will have chip cards widely available by October 2015:
http://usa.visa.com/download/merchants/bulletin-us-participation-liability-shift-080911.pdf?Aug082011

Not as many people seem to be paying attention to the liability shift, which may be pretty important in its own right.